The Apache Software Foundation has released an emergency security update that fixes a 0-day vulnerability ( CVE-2021-44228 ) in the popular Log4j logging library, which is part of the Apache Logging Project. The patch was released as part of the 2.15.0 release .
The vulnerability was named Log4Shell and scored 10 out of 10 points on the CVSS vulnerability rating scale. The bug allows remote arbitrary code execution (RCE). The problem is aggravated by the fact that yesterday information security researcher p0rz9 already published a PoC exploit on Twitter, and the vulnerability can be exploited remotely, and this does not require special technical skills.
The LunaSec company describes how Log4Shell works: the vulnerability forces Java-based applications and servers that use the Log4j library to log a specific line in their internal systems. When an application or server processes such logs, a string can cause the vulnerable system to load and run a malicious script from the attacker’s controlled domain. The result will be a complete hijacking of the vulnerable application or server.
The problem was originally discovered while searching for bugs on Minecraft servers, but Log4j is present in almost all corporate applications and Java servers. For example, the library can be found in almost all enterprise products released by the Apache Software Foundation, including Apache Struts, Apache Flink, Apache Druid, Apache Flume, Apache Solr, Apache Flink, Apache Kafka, Apache Dubbo, and so on. Log4j is also actively used in various open source projects, including Redis, ElasticSearch, Elastic Logstash, Ghidra and others.
Thus, companies using any of these products are also indirectly vulnerable to attacks on Log4Shell, but may even know about it. Information security specialists already report that solutions of such giants as Apple, Amazon, Twitter, Cloudflare, Steam, Tencent, Baidu, DIDI, JD, NetEase and probably thousands of other companies may be vulnerable to Log4Shell.
Yesterday p0rz9 wrote that CVE-2021-44228 can only be exploited if the log4j2.formatMsgNoLookups parameter is set to false. Edition of The Record reports that, according to the company KnownSec 404 Team, in Log4j 2.15.0 release this parameter is set to true, especially to prevent attacks. This means that Log4j users who have upgraded to version 2.15.0 and then set the flag to false will again be vulnerable to attacks. Moreover, Log4j users who have not updated, but have set the flag to true, will still be able to block attacks even on older versions.
Unfortunately, this also means that all older versions are at risk, where this parameter is set to false by default. That is, all previous releases of Log4j, starting with 2.10.0, are vulnerable.
According to experts from Bad Packets and Greynoise , several attackers are already scanning the network in search of applications that may be vulnerable to Log4Shell, which means that there is almost no time left to install patches.